When looking up security risks on the net, I find that all the research being cited (if any is cited) always seems to come from the anti-malware companies (for example, this article cites F-Secure, AVG and McAfee).

I mostly do "research" of this kind to check how dangerous the latest IT security headlines in the media really are. (That is: dangerous for my granny, for my sister, or for me, as someone who knows his way around?)

While I don't think of myself as being prone to any "conspiracy theories", I find it a tad disappointing that all the research and professional statements regarding security risks to me and my family that I seem to be able to find seem to come from the companies trying to sell their Anti-* packages.

Are there any "independent" parties (like university departments or government agencies) that publish information regarding new security threats?

(Note: I'm not saying that they'll be free of any bias, but they'll have a slightly different bias, or so I hope :-) )

Edit: After a few answers and comments, it seems the case may be that the (mass) media very often cite the anti-malware companies, as these issue easily quoted press releases on new security risks to consumers.

Do universities count as independent organizations? If so, you will find a lot of research papers that cite other research papers as well...
– Dog eat cat world, Jul 31 '11 at 19:40

There are many from non-antivirus researchers, but you have to be aware that the big antivirus companies see the value in hiring highly skilled malware researchers, so it makes sense that a lot of research comes from these companies.
– Rory Alsop♦, Jul 31 '11 at 21:32


Universities and independent folks do security research all the time. "Threats" are generally defined as the people and organizations that threaten you, see intel.com/it/pdf/threat-agent-library.pdf And "risks" can be pretty generic. I'm guessing you're talking about assessments of recent attacks and vulnerabilities?
– nealmcb, Aug 1 '11 at 1:56

@nealmcb - Good to hear that they are doing research. Bad that the media choose to cite the anti-malware companies' press releases instead.
– Martin, Aug 1 '11 at 5:55

2 Answers

There are a gazillion independent organizations and people that publish information on computer security. The problem is not finding them; the problem is keeping track of all of these sources of information. Two example starting places include Bruce Schneier's blog and Krebs on Security.

If you think that all computer security research comes from anti-malware companies, you aren't looking at the right sources. There are many others who also publish computer security research -- including, you know, professional researchers in universities, industry research labs, independent testing labs, and so on.

Another note of caution: There are some in the industry who would like to hijack the word "research" to mean something like, e.g., finding a new vulnerability in some random web site. Those folks are trying to free-load upon the positive credibility and reputation associated with scientific research. Don't be taken in. There is an older, established meaning for the word "research", and there is an entire community engaged in scientific research into computer security who act very differently.

A general comment: It is possible that your question may be too broad to fully address your needs. If you see some particular research that you would like an independent view on, why not try posting a question specifically about that?

@D.W., I think the point "There is an older, established meaning for the word "research", and there is an entire community engaged in scientific research into computer security who act very differently." needs elaboration. For example, what "acts" are you talking about?
– Pacerier, May 4 at 23:22

@Pacerier, sorry, I didn't intend that you should read too much into the word "act". I was mostly referring to the issue that the OP asked about, e.g., are independent, have no commercial interest in selling people a product, make their research publicly available.
– D.W., May 5 at 5:15

@D.W., I mean, I wasn't talking about the word "act", I was talking about How do they "act very differently"? What is the difference between the two parties?
– Pacerier, May 24 at 15:19

You should join the Full Disclosure and Bugtraq mailing lists and also follow the exploits and papers published by http://www.exploit-db.com/ . Some of the commercial vendors' advisories are also based on these public advisories by third parties.